20,000 USDC
Submission Details
Severity: high
Valid

Borrowers can be sandwiched with an auction length change to steal their funds

Summary

Borrowers can be sandwiched with an auction length change, which makes them immediately liquidatable and lets the lender steal their funds.

Vulnerability Details

When a user (borrower) submits a transaction to borrow(), the pool owner (lender) can front-run the borrower's transaction with a call to setPool() and set the auction length to 1 (1 second). The borrower's transaction is then executed anyway, because the borrower has no way to specify the minimum auction length they are willing to accept. The malicious lender can then back-run the borrower and start an auction in the same block as the borrow. Since the auction length is 1 second, the auction will have already ended by the next block. This allows the lender to liquidate the borrower and take their collateral.

Impact

Borrowers' collateral can be stolen.

Tools Used

None

Recommendations

Add a uint256 minAuctionLength parameter to the Borrow struct that should be verified within borrow():

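struct Borrow {
    // ...
    // Shortest auction length (in seconds) the borrower is willing to accept.
    uint256 minAuctionLength;
}
// ...
error AuctionLengthTooShort();
// ...
function borrow(Borrow[] calldata borrows) public {
    // ...
    // Revert if the pool's auction length is below the borrower's limit.
    if (pool.auctionLength < borrows[i].minAuctionLength) revert AuctionLengthTooShort();
}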

Even without a sandwich attack, it would be beneficial to enforce a general lower bound on the auction length through a constant like MIN_AUCTION_LENGTH, so that users who are not fully familiar with the auction concept do not enter pools with a very short auction length.
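The transaction ordering described under Vulnerability Details and the effect of the recommended minAuctionLength check, as a simplified Python model added here for illustration (it is not the protocol's code). The class and function names, the 12-second block time, and the assumption that a loan takes the pool's auction length at borrow time are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK_TIME = 12   # assumed seconds between blocks
DAY = 86400       # constructed "honest" auction length advertised by the pool

class AuctionLengthTooShort(Exception):
    """Mirrors the AuctionLengthTooShort error from the recommendation."""

@dataclass
class Loan:
    collateral: int
    auction_length: int                 # model assumption: fixed at borrow time
    auction_start: Optional[int] = None

class PoolModel:
    def __init__(self, auction_length: int, enforce_min: bool):
        self.auction_length = auction_length
        self.enforce_min = enforce_min  # True = recommended check is in place

    def set_pool(self, auction_length: int) -> None:
        self.auction_length = auction_length   # lender updates pool terms

    def borrow(self, collateral: int, min_auction_length: int) -> Loan:
        if self.enforce_min and self.auction_length < min_auction_length:
            raise AuctionLengthTooShort()
        return Loan(collateral, self.auction_length)

    def start_auction(self, loan: Loan, now: int) -> None:
        loan.auction_start = now

    def can_seize(self, loan: Loan, now: int) -> bool:
        started = loan.auction_start is not None
        return started and now >= loan.auction_start + loan.auction_length

def sandwich_outcome(enforce_min: bool, front_run: bool = True) -> str:
    """Replay the block from the finding and report the borrower's position."""
    t = 1_700_000_000                    # constructed block timestamp
    pool = PoolModel(auction_length=DAY, enforce_min=enforce_min)
    if front_run:
        pool.set_pool(1)                 # tx 1: auction length set to 1 second
    try:
        loan = pool.borrow(100, min_auction_length=DAY)   # tx 2: pending borrow
    except AuctionLengthTooShort:
        return "borrow reverted"         # borrower keeps their collateral
    pool.start_auction(loan, t)          # tx 3: auction started in the same block
    return "seizable next block" if pool.can_seize(loan, t + BLOCK_TIME) else "safe"
```

With the check enabled, the borrow reverts whenever the pool terms were changed ahead of it, while borrows against unchanged terms go through as before.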
